Abstract

A quantum encryption scheme (also called private quantum channel, or state randomization protocol) is a one-time pad for quantum messages. If two parties share a classical random string, one of them can transmit a quantum state to the other so that an eavesdropper gets little or no information about the state being transmitted. Perfect encryption schemes leak no information at all about the message. Approximate encryption schemes leak a non-zero (though small) amount of information but require a shorter shared random key. Approximate schemes with short keys have been shown to have a number of applications in quantum cryptography and information theory [H].

This paper provides the first deterministic, polynomial-time constructions of quantum approximate encryption schemes with short keys. Previous constructions [S] are probabilistic — that is, they show that if the operators used for encryption are chosen at random, then with high probability the resulting protocol will be a secure encryption scheme. Moreover, the resulting protocol descriptions are exponentially long. Our protocols use keys of the same length as (or better length than) the probabilistic constructions; to encrypt $n$ qubits approximately, one needs $n + o(n)$ bits of shared key [S], whereas $2n$ bits of key are necessary for perfect encryption [3].

An additional contribution of this paper is a connection between classical combinatorial derandomization and constructions of pseudo-random matrix families in a continuous space.

1 Introduction 

A quantum encryption scheme (or private quantum channel, or state randomization protocol) allows Alice, holding a classical key¹, to scramble a quantum state and send it to Bob (via a quantum channel) so that (1) Bob, given the key, can recover Alice's state exactly and (2) an adversary Eve who intercepts the ciphertext learns nothing about the message, as long as she doesn't know the key.

* e-mail: ambainis@ias.edu. Supported by NSF grant DMS-0111298. 
^e-mail:csail. mit.edu. Supported by Microsoft Fellowship. 

¹ Classical keys are inherently easier to store, distribute and manipulate, since they can be copied. More subtly, encryption with a shared quantum key is in many ways a dual problem to encryption with a classical key; see [H], [S] for more discussion.

There are two variants of this definition. An encryption scheme is called perfect if Eve learns zero information from the ciphertext, and approximate if Eve can learn some non-zero amount of information. A perfect encryption ensures that the distributions (density matrices) of ciphertexts corresponding to different messages are exactly identical, while an approximate scheme only requires that they be very close; we give formal definitions further below. In the classical case, both perfect and approximate encryption require keys of roughly the same length — $n$ bits of key for $n$ bits of message. In the quantum case, the situation is different.

For perfect encryption, Ambainis et al. [3] showed that $2n$ bits of key are necessary and sufficient to encrypt $n$ qubits. The construction consists of applying two classical one-time pads — one in the "standard" basis $\{|0\rangle, |1\rangle\}$ and another in the "diagonal" basis $\{\tfrac{1}{\sqrt{2}}(|0\rangle + |1\rangle), \tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle)\}$.

Approximate encryption was studied by Hayden et al. [S]. They introduced an additional, useful relaxation: they show that if the plaintext is not entangled with Eve's system to begin with, then one can get approximate quantum encryption using only $n + o(n)$ bits of key — roughly half as many as are necessary for perfect encryption.² The assumption that Eve's system is unentangled with the message is necessary for this result; otherwise roughly $2n$ bits are needed, even for approximate encryption. The assumption holds in the quantum counterpart of the one-time pad situation (one party prepares a quantum message and sends it to the second party, using the encryption scheme) as long as the message is not part of a larger cryptographic protocol. The relaxation also has a host of less cryptographic applications, for example: constructing efficient quantum data hiding schemes in the LOCC (local operation and classical communication) model; exhibiting "locked" classical correlations in quantum states [H]; relaxed authentication of quantum states using few bits of key [2]; and transmitting quantum states over a classical channel using $n + o(n)$ bits of communication, rather than the usual $2n$ bits required for quantum teleportation.

The previous constructions of approximate encryption schemes with a shorter key are probabilistic. Specifically, Hayden et al. [S] showed that a random set of $2^{n+o(n)}$ unitary matrices leads to a good encryption scheme with high probability (to encrypt, Alice uses the key to choose one of the matrices from the set and applies the corresponding operator to her input). However, verifying that a particular set of matrices yields a good encryption scheme is not efficient; even writing down the list of matrices is prohibitive, since there are exponentially many of them.

This paper presents the first polynomial time constructions of approximate quantum encryption schemes (to relish the oxymoron: derandomized randomization protocols). The constructions run in time $O(n^2)$ when the message $\rho$ consists of $n$ qubits. That is, given the key and the input message, Alice can produce the output using $O(n^2)$ steps on a quantum computer. The key length we achieve is slightly better than that of the probabilistic construction of [S]. Our results apply to the trace norm on matrices; exact results are stated further below.

² The result of [S] highlights an error in the proof of a lower bound on key length of authentication schemes in The results of that paper remain essentially correct, but the definition of authentication requires some strengthening, and the proof of the lower bound is more involved.

The main tools in our construction are small-bias sets [U] of strings in $\{0,1\}^{2n}$. Such sets have proved useful in derandomizing algorithms, constructing short PCPs [0] and the encryption of high-entropy messages [12]. Thus, one of the contributions of this paper is a connection between classical combinatorial derandomization and constructions of pseudo-random matrix families in a continuous space. Specifically, we connect Fourier analysis over $\mathbb{Z}_2^{2n}$ to Fourier analysis over the matrices $\mathbb{C}^{2^n \times 2^n}$. This parallels, to some extent, the connection between quantum error-correcting codes over $n$ qubits and classical codes over $GF(4)^n$.



1.1 Definitions and Previous Work 

We assume that the reader is familiar with the basic notation of quantum computing (see for an introduction). Syntactically, an approximate quantum encryption scheme is a set of $2^k$ invertible operators $\{E_\kappa \mid \kappa \in \{0,1\}^k\}$. The $E_\kappa$'s may be unitary, but need not be: it is sufficient that one be able to recover the input $\rho$ from the output $E_\kappa(\rho)$, which may live in a larger-dimensional space than $\rho$. Each $E_\kappa$ takes $n$ qubits as input and produces $n' \ge n$ qubits of output. If $n' = n$ then each operator $E_\kappa$ corresponds to a unitary matrix: $E_\kappa(\rho) = U_\kappa \rho U_\kappa^\dagger$.

For an input density matrix³ $\rho$, the density matrix of the ciphertext from the adversary's point of view is:

$$\mathcal{E}(\rho) = \mathbb{E}_\kappa\big[E_\kappa(\rho)\big] = \frac{1}{2^k}\sum_{\kappa \in \{0,1\}^k} E_\kappa(\rho)$$

When the scheme is length-preserving, this yields 

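Definition 1. The set of operators $\{E_\kappa\}$ is an approximate quantum encryption scheme (state randomization scheme) with error $\epsilon$ on $n$ qubits if

$$\text{for all density matrices } \rho \text{ on } n \text{ qubits:}\quad D\big(\mathcal{E}(\rho), \tfrac{1}{2^n} I\big) = \big\|\mathcal{E}(\rho) - \tfrac{1}{2^n} I\big\|_{\mathrm{tr}} \le \epsilon. \qquad (1)$$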



Here $D(\cdot,\cdot)$ refers to the trace distance between density matrices. The trace norm of a matrix $\sigma$ is the trace of the absolute value of $\sigma$ (equivalently, the sum of the absolute values of the eigenvalues). The trace distance between two matrices $\rho, \sigma$ is

$$D(\rho,\sigma) = \|\rho - \sigma\|_{\mathrm{tr}} = \mathrm{Tr}(|\rho - \sigma|)$$



This norm plays the same role for quantum states as statistical difference does for probability distributions: the maximum probability of distinguishing between two quantum states $\rho, \sigma$ via a single measurement is

$$\frac{1}{2} + \frac{1}{4} D(\rho,\sigma).$$

Hayden et al. [S] actually considered randomization schemes with respect to two norms: the $\infty$-norm ("operator norm") and the trace norm. In this paper, we consider schemes for the trace norm, though our proofs go through the Frobenius norm. Constructing explicit randomization schemes for the $\infty$-norm remains an interesting open problem.

³ Recall that for a pure state $|\phi\rangle$, the density matrix $\rho$ is $|\phi\rangle\langle\phi|$.

Remark 1. This definition of quantum encryption implicitly assumes that the message state $\rho$ is not entangled with the adversary's system. Without that assumption the definition above is not sufficient, and it is not possible to get secure quantum encryption using $n(1 + o(1))$ bits of key (roughly $2n$ bits are provably necessary). Thus, this sort of construction is not universally useful in cryptographic contexts, but nevertheless has many applications (described above).

Previous Work. Ambainis et al. [H] considered perfect encryption; this corresponds to the case where $\epsilon = 0$. The choice of matrix norm is irrelevant there, since $\mathcal{E}(\rho) = \frac{1}{2^n} I$. As mentioned above, they showed that $2n$ bits of key are necessary and sufficient. The construction uses the key to choose one of $2^{2n}$ Pauli operators (defined below) and applies that to the input state.

Hayden et al. [H] showed that a set of $O(n^2 2^n/\epsilon^2)$ unitary operators suffices (for both the $\infty$-norm and the trace norm). For the trace norm, they even showed that a random set of Pauli matrices (see below) would suffice. This means that for encrypting $n$ qubits, they presented a non-polynomial-time scheme requiring $n + 2\log n + 2\log(1/\epsilon) + O(1)$ bits of key.

1.2 Our Results 

We present three explicit, polynomial time constructions of approximate state randomization protocols for the trace norm. All are based on existing constructions of $\delta$-biased sets l2*| IT], or on families of sets with small average bias. The three constructions are explained and proven secure in Sections 3.1, 3.2 and 3.3 respectively.

The first construction is length-preserving, and requires

$$n + 2\log n + 2\log(1/\epsilon)$$

bits of key, thus matching the performance of the non-explicit construction. The second construction is length-doubling: it encodes $n$ qubits into $n$ qubits and $2n$ classical bits but uses a shorter key: only

$$n + 2\log(1/\epsilon)$$

bits of key are required. Both of these constructions are quite simple, and are proven secure using the same Fourier-analytic technique.

The final construction has a more sophisticated proof, but allows for a length-preserving scheme with slightly better dependence on the number of qubits:

$$n + \min\{2\log n + 2\log(1/\epsilon),\ \log n + 3\log(1/\epsilon)\} + O(1)$$

bits of key. The right-hand term provides a better bound when $\epsilon > 1/n$.

More generally, Fourier analysis over the cube $\{0,1\}^n$ has provided a rich set of tools for understanding classical boolean functions and distributions on $\{0,1\}^n$. We hope the ideas in this paper indicate how some of the classical results can be transposed to yield new results in quantum information theory.

2 Preliminaries 

Small-Bias Spaces. The bias of a random variable $A$ in $\{0,1\}^n$ with respect to a string $\alpha \in \{0,1\}^n$ is the distance from uniform of the bit $\alpha \odot A$, where $\odot$ refers to the standard dot product on $\mathbb{Z}_2^n$:

$$\hat{A}(\alpha) = \mathbb{E}_A\big[(-1)^{\alpha \odot A}\big] = 2\Pr[\alpha \odot A = 0] - 1.$$

The function $\hat{A}$ is the Fourier transform of the probability mass function of the distribution, taken over the group $\mathbb{Z}_2^n$.

The bias of a set $S \subseteq \{0,1\}^n$ with respect to $\alpha$ is simply the bias of the uniform distribution over that set. A set $S$ is called $\delta$-biased if the absolute value of its bias is at most $\delta$ for all $\alpha \neq 0^n$.

Small-bias sets were first considered in derandomization theory by Naor and Naor [U]. Alon, Bruck et al. (ABNNR, pQ) gave explicit (i.e. deterministic, polynomial-time) constructions of $\delta$-biased sets in $\{0,1\}^n$ with size $O(n/\delta^3)$. Constructions with size $O(n^2/\delta^2)$ were provided by Alon, Goldreich, et al. (AGHP). The AGHP construction is better when $\delta = o(1/n)$. In both cases, the $i$-th string in a set can be constructed in roughly $n^2$ time (regardless of $\delta$).

One can sample a random point from a $\delta$-biased space over $\{0,1\}^n$ using either $\log n + 3\log(1/\delta) + O(1)$ bits of randomness (using ABNNR) or using $2\log n + 2\log(1/\delta)$ bits (using AGHP).

Small-bias Set Families. One can generalize small bias to families of sets (or random variables) by requiring that on average, the bias of a random set from the family with respect to every $\alpha$ is low (Dodis and Smith [7]). Specifically, the expectation of the squared bias must be at most $\delta^2$. Many results on $\delta$-biased sets also hold for $\delta$-biased families, which are easier to construct.

Definition 2. A family of random variables (or sets) $\{A_i\}_{i \in I}$ is $\delta$-biased if

$$\sqrt{\mathbb{E}_{i \in I}\big[\hat{A}_i(\alpha)^2\big]} \le \delta \quad \text{for all } \alpha \neq 0^n.$$

Note that this is not equivalent, in general, to requiring that the expected bias be less than $\delta$. There are two important special cases:

1. If $S$ is a $\delta$-biased set, then $\{S\}$ is a $\delta$-biased set family with a single member;

2. A family of linear spaces $\{C_i\}_{i \in I}$ is $\delta$-biased if no particular word is contained in the dual $C_i^\perp$ of a random space $C_i$ from the family with high probability. Specifically:

$$\hat{C}_i(\alpha) = \begin{cases} 1 & \text{if } \alpha \in C_i^\perp \\ 0 & \text{if } \alpha \notin C_i^\perp \end{cases}$$

Hence a family of codes is $\delta$-biased if and only if $\Pr_{i \leftarrow I}[\alpha \in C_i^\perp] \le \delta^2$, for every $\alpha \neq 0^n$. Note that to meet the definition, for linear codes the expected bias must be at most $\delta^2$, while for a single set the bias need only be $\delta$.

One can get a good $\delta$-biased family simply by taking $\{C_i\}$ to be the set of all linear spaces of dimension $k$. The probability that any fixed non-zero vector $\alpha$ lies in the dual of a random space is exactly $\delta^2 = \frac{2^{n-k}-1}{2^n-1}$, which is at most $2^{-k}$.

One can save some randomness in the choice of the space using a standard pairwise independence construction. View $\{0,1\}^n$ as $GF(2^n)$, and let $K \subseteq GF(2^n)$ be an additive subgroup of size $2^k$. For every non-zero string $\alpha$, let the space $C_\alpha$ be given by all multiples $\alpha\kappa$, where $\kappa \in K$. The family $\{C_\alpha \mid \alpha \in GF(2^n), \alpha \neq 0\}$ has the same bias as the set of all linear spaces ($\delta < 2^{-k/2}$), and $n$ bits of randomness are needed to choose a set in the family.
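
The following exhaustive check of this family is an added example, not code from the paper; the same construction over GF(2^{2n}) is the one used by the scheme of Section 3.2. The toy field GF(2^4) with modulus x^4 + x + 1, the choice of K as the elements whose high bits are zero, and all function names are assumptions of the example.

```python
# Added example (not from the paper): exhaustive check of the small-bias
# family C_alpha = {alpha * kappa : kappa in K} over a toy field GF(2^4).
N = 4                    # assumption: toy field size, strings are 4 bits
MODULUS = 0b10011        # x^4 + x + 1, irreducible over GF(2)
K_BITS = 2               # |K| = 2^k with k = 2
K = list(range(1 << K_BITS))   # additive subgroup: high N - k bits are zero

def gf_mul(a, b):
    """Multiply in GF(2^N): carry-less product reduced modulo MODULUS."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> N) & 1:
            a ^= MODULUS
    return result

def dot(x, y):
    """Inner product over Z_2 of two bit strings packed into integers."""
    return bin(x & y).count("1") & 1

def bias(S, w):
    """Bias of the uniform distribution on S with respect to w."""
    return sum(1 - 2 * dot(w, s) for s in S) / len(S)

def family():
    """One linear space C_alpha for every non-zero alpha in GF(2^N)."""
    return [[gf_mul(alpha, kappa) for kappa in K] for alpha in range(1, 1 << N)]

def mean_square_bias(w):
    """E_alpha[bias(C_alpha, w)^2], the quantity Definition 2 bounds by delta^2."""
    fam = family()
    return sum(bias(C, w) ** 2 for C in fam) / len(fam)

def worst_single_member_bias():
    """Largest |bias| of any one C_alpha: a lone linear space is not small-bias."""
    return max(abs(bias(C, w)) for C in family() for w in range(1, 1 << N))

if __name__ == "__main__":
    worst = max(mean_square_bias(w) for w in range(1, 1 << N))
    print("max mean-square bias:", worst, "bound 2^-k:", 2.0 ** -K_BITS)
    print("worst bias of a single member:", worst_single_member_bias())
```

Every non-zero test string gets mean-square bias (2^{n-k} - 1)/(2^n - 1) = 3/15, below 2^{-k} = 1/4, while each individual space has bias 1 against some string: the guarantee holds only on average over the family.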

Entropy of Quantum States. As with classical distributions, there are several ways to measure the entropy of a quantum density matrix. We'll use the analogue of collision entropy (a.k.a. Renyi entropy).

For a classical random variable $A$ on $\{0,1\}^n$, the collision probability of two independent samples of $A$ is $p_c = \sum_a \Pr[A = a]^2$. The Renyi entropy of $A$ is $H_2(A) = -\log p_c$.

For a quantum density matrix $\rho$, the analogous quantity is $H_2(\rho) = -\log \mathrm{Tr}(\rho^2)$. If the eigenvalues of $\rho$ are $\{p_x\}$, then the eigenvalues of $\rho^2$ are $\{p_x^2\}$, and so $\mathrm{Tr}(\rho^2)$ is exactly the collision probability of the distribution obtained by measuring $\rho$ in a basis of eigenvectors.

Fact 2.1. If $\rho$ describes a state in $d$-dimensional space and $\mathrm{Tr}(\rho^2) \le \frac{1}{d}(1 + \epsilon^2)$, then $D(\rho, \frac{1}{d} I) \le \epsilon$.



Pauli matrices The 2x2 Pauli matrices are generated by the matrices: 




Pauli matrices and their opposites: $\{\pm I, \pm X, \pm Z, \pm XZ\}$.

If $u$ and $v$ are $n$-bit strings, we denote the corresponding tensor product of Pauli matrices by $X^u Z^v$. That is, if we write $u = (u_1, \ldots, u_n)$ and $v = (v_1, \ldots, v_n)$, then

$$X^u Z^v = X^{u_1} Z^{v_1} \otimes \cdots \otimes X^{u_n} Z^{v_n}.$$

(The strings x and z indicate in which positions of the tensor product X and Z appear, respectively.) The set $\{X^u Z^v \mid u, v \in \{0,1\}^n\}$ forms a basis for the $2^n \times 2^n$ complex matrices. The main facts we will need are given below:

1. Products of Pauli matrices obey the group structure of $\{0,1\}^{2n}$ up to a minus sign. That is, $(X^u Z^v)(X^a Z^b) = (-1)^{a \odot v} X^{u \oplus a} Z^{v \oplus b}$.

2. Any pair of Pauli matrices either commutes or anti-commutes. That is,

$$(X^u Z^v)(X^a Z^b) = (-1)^{u \odot b + v \odot a} (X^a Z^b)(X^u Z^v).$$

3. The trace of $X^u Z^v$ is $0$ if $(u,v) \neq 0^{2n}$ (and otherwise it is $\mathrm{Tr}(I) = 2^n$).

4. $(X^u Z^v)^\dagger = Z^v X^u = (-1)^{u \odot v} X^u Z^v$.

Pauli matrices and Fourier Analysis. The Pauli matrices form a basis for the set of all $2^n \times 2^n$ matrices. Given a density matrix $\rho$, we can write

$$\rho = \sum_{u,v \in \{0,1\}^n} \alpha_{u,v} X^u Z^v.$$

This basis is orthonormal with respect to the inner product given by $\frac{1}{2^n}\mathrm{Tr}(A^\dagger B)$, where $A, B$ are square matrices. That is:

$$\frac{1}{2^n}\mathrm{Tr}\big((X^u Z^v)^\dagger X^a Z^b\big) = \delta_{a,u}\,\delta_{b,v}.$$

Thus, the usual arithmetic of orthogonal bases (and Fourier analysis) applies. One can immediately deduce certain properties of the coefficients $\alpha_{u,v}$ in the decomposition of a matrix $\rho$. First, we have a formula for $\alpha_{u,v}$:

$$\alpha_{u,v} = \frac{1}{2^n}\mathrm{Tr}(Z^v X^u \rho).$$

Second, the squared norm of $\rho$ is given by the squared norm of the coefficients:

$$\frac{1}{2^n}\mathrm{Tr}(\rho^\dagger \rho) = \sum_{u,v} |\alpha_{u,v}|^2$$

Since $\rho$ is a density matrix, it is Hermitian ($\rho^\dagger = \rho$). One can use this fact, and our formula for the coefficients $\alpha_{u,v}$, to get a compact formula for the entropy in terms of the decomposition in the Pauli basis:

$$\mathrm{Tr}(\rho^2) = \frac{1}{2^n}\sum_{u,v} |\mathrm{Tr}(X^u Z^v \rho)|^2.$$



3 State Randomization and Approximate Encryption 
3.1 Encrypting with a Small-Bias Space 

The ideal quantum one-time pad applies a random Pauli matrix to the input [3]. Consider instead a scheme which first chooses a $2n$-bit string from some set with small bias $\delta$ (we will set $\delta$ later to be roughly $\delta = \epsilon 2^{-n/2}$). If the set of strings is $B$ we have:

$$\mathcal{E}(\rho_0) = \frac{1}{|B|}\sum_{(a,b) \in B} X^a Z^b \rho_0 Z^b X^a = \mathbb{E}_{a,b}\big[X^a Z^b \rho_0 Z^b X^a\big]$$



That is, we choose the key from the set $B$, which consists of $2n$-bit strings. To encrypt, we view a $2n$-bit string as the concatenation $(a, b)$ of two strings of $n$ bits, and apply the corresponding Pauli matrix.

(The intuition comes from the proof that Cayley graphs based on $\epsilon$-biased spaces are good expanders: applying a Pauli operator chosen from a $\delta$-biased family of strings to $\rho_0$ will cause all the Fourier coefficients of $\rho_0$ to be reduced by a factor of $\delta$, which implies that the collision entropy of $\rho_0$ also gets multiplied by $\delta$. We expand on this intuition below.)

As a first step, we can try to see if a measurement given by a Pauli matrix $X^u Z^v$ can distinguish the resulting ciphertext from a totally mixed state. More explicitly, we perform a measurement which projects the ciphertext onto one of the two eigenspaces of the matrix $X^u Z^v$. We output the corresponding eigenvalue. (All Pauli matrices have two eigenvalues with eigenspaces of equal dimension. The eigenvalues are always either $-1$ and $1$ or $-i$ and $i$.)

To see how well a particular Pauli matrix $X^u Z^v$ will do at distinguishing, it is sufficient to compute

$$|\mathrm{Tr}(X^u Z^v \mathcal{E}(\rho_0))|.$$

This is exactly the statistical difference between the Pauli measurement's outcome and a uniform random choice from the two eigenvalues. We can compute $\mathrm{Tr}(X^u Z^v \mathcal{E}(\rho_0))$ explicitly:



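$$\begin{aligned}
\mathrm{Tr}(X^u Z^v \mathcal{E}(\rho_0)) &= \mathrm{Tr}\big(X^u Z^v\, \mathbb{E}_{(a,b) \in B}[X^a Z^b \rho_0 Z^b X^a]\big) \\
&= \mathbb{E}_{a,b}\, \mathrm{Tr}(X^u Z^v X^a Z^b \rho_0 Z^b X^a) \\
&= \mathbb{E}_{a,b}\, \mathrm{Tr}(Z^b X^a X^u Z^v X^a Z^b \rho_0) \\
&= \mathbb{E}_{a,b}\big[(-1)^{a \odot v + b \odot u}\big]\, \mathrm{Tr}(X^u Z^v \rho_0)
\end{aligned}$$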

Since $a \odot v + b \odot u$ is linear in the concatenated $2n$-bit vector $(a, b)$, we can take advantage of the small bias of the set $B$ to get a bound:

$$|\mathrm{Tr}(X^u Z^v \mathcal{E}(\rho_0))| \le \delta\, |\mathrm{Tr}(X^u Z^v \rho_0)|$$

Equivalently: if we express $\rho_0$ in the basis of matrices $X^u Z^v$, then each coefficient shrinks by a factor of at least $\delta$ after encryption. We can now bound the distance from the identity by computing $\mathrm{Tr}(\mathcal{E}(\rho_0)^2)$:

$$\mathrm{Tr}(\mathcal{E}(\rho_0)^2) = \frac{1}{2^n}\sum_{u,v} |\mathrm{Tr}(X^u Z^v \mathcal{E}(\rho_0))|^2 \le \frac{1}{2^n} + \frac{\delta^2}{2^n}\sum_{(u,v) \neq 0^{2n}} |\mathrm{Tr}(X^u Z^v \rho_0)|^2 \le \frac{1}{2^n}\big(1 + \delta^2 2^n\, \mathrm{Tr}(\rho_0^2)\big)$$

Setting $\delta = \epsilon 2^{-n/2}$, we get approximate encryption for all states (since $\mathrm{Tr}(\rho_0^2) \le 1$). Using the constructions of AGHP [2] for small-bias spaces, we get a polynomial-time scheme that uses $n + 2\log n + 2\log(1/\epsilon)$ bits of key.
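
The coefficient-shrinking argument of this section can be checked numerically. The following is an added example, not code from the paper: it encrypts a 2-qubit state with a 6-element set B of 4-bit strings and verifies the identity for every Pauli coefficient and the resulting purity bound. The set B, the input state and all function names are constructed for the illustration; B is not the AGHP construction.

```python
# Added example (not from the paper): Section 3.1 on n = 2 qubits with a
# hand-picked 1/3-biased set B of 4-bit strings (a, b), in pure Python.
N_QUBITS = 2
DIM = 1 << N_QUBITS
# Constructed set: 0000, 0001, 0010, 0100, 1000, 1111 split as (a, b).
B = [(0, 0), (0, 1), (0, 2), (1, 0), (2, 0), (3, 3)]

def dot(x, y):
    return bin(x & y).count("1") & 1

def pauli(a, b):
    """X^a Z^b as a matrix: X^a Z^b |x> = (-1)^(b.x) |x xor a>."""
    m = [[0] * DIM for _ in range(DIM)]
    for x in range(DIM):
        m[x ^ a][x] = 1 - 2 * dot(b, x)
    return m

def matmul(A, C):
    return [[sum(A[i][k] * C[k][j] for k in range(DIM)) for j in range(DIM)]
            for i in range(DIM)]

def transpose(A):
    return [list(col) for col in zip(*A)]

def trace(A):
    return sum(A[i][i] for i in range(DIM))

def encrypt(rho, key_set):
    """Ciphertext seen by Eve: average of P rho P^dagger over the key set."""
    out = [[0j] * DIM for _ in range(DIM)]
    for a, b in key_set:
        P = pauli(a, b)                      # real matrix, so dagger = transpose
        term = matmul(matmul(P, rho), transpose(P))
        for i in range(DIM):
            for j in range(DIM):
                out[i][j] += term[i][j] / len(key_set)
    return out

def bias(key_set, wa, wb):
    """E over (a, b) in key_set of (-1)^(a.wa + b.wb)."""
    return sum((1 - 2 * dot(a, wa)) * (1 - 2 * dot(b, wb))
               for a, b in key_set) / len(key_set)

def max_bias(key_set):
    return max(abs(bias(key_set, wa, wb))
               for wa in range(DIM) for wb in range(DIM) if (wa, wb) != (0, 0))

def shrink_error(rho, key_set):
    """Largest gap in Tr(X^u Z^v E(rho)) = bias(v, u) * Tr(X^u Z^v rho)."""
    enc = encrypt(rho, key_set)
    gaps = []
    for u in range(DIM):
        for v in range(DIM):
            P = pauli(u, v)
            lhs = trace(matmul(P, enc))
            rhs = bias(key_set, v, u) * trace(matmul(P, rho))
            gaps.append(abs(lhs - rhs))
    return max(gaps)

def purity(rho):
    return trace(matmul(rho, rho)).real

# Constructed pure input state (1, i, 0, -1)/sqrt(3).
PSI = [1, 1j, 0, -1]
RHO0 = [[x * complex(y).conjugate() / 3 for y in PSI] for x in PSI]

if __name__ == "__main__":
    delta = max_bias(B)
    print("delta =", delta, " shrink error =", shrink_error(RHO0, B))
    print("Tr(E(rho0)^2) =", purity(encrypt(RHO0, B)),
          " bound =", (1 + delta ** 2 * DIM * purity(RHO0)) / DIM)
```

With this B every non-trivial coefficient shrinks by exactly 1/3, so a pure input yields Tr(E(ρ0)²) = 1/3, under the bound 13/36; the full set of 16 Pauli operators gives 1/4, the completely mixed state.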

3.2 A Scheme with Shorter Key Length 

We can improve the key length of the previous scheme using $\delta$-biased families of sets. The tradeoff is that the resulting states are longer: the ciphertext consists of $n$ qubits and $2n$ classical bits. In classical terms, the encryption algorithm uses additional randomness which is not part of the shared key; in the quantum computing model, however, that randomness is "free" if one is allowed to discard ancilla qubits.



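Lemma 3.1. If $\{A_i\}_{i \in I}$ is a family of subsets of $\{0,1\}^{2n}$ with average square bias $\delta^2$, then the operator

$$\mathcal{E}(\rho_0) = \mathbb{E}_{i \in I}\Big[\, |i\rangle\langle i| \otimes \mathbb{E}_{(a,b) \in A_i}\big[X^a Z^b \rho_0 Z^b X^a\big] \Big]$$

is an approximate encryption scheme for $n$ qubits with leakage $\epsilon$ whenever $\delta \le \epsilon 2^{-n/2}$.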



Before proving the lemma, we give an example using the small-bias set family from the preliminaries. View the key set $\{0,1\}^k$ as an additive subgroup $K$ of the field $F = GF(2^{2n})$. For every element $\alpha \in F$, define the set $C_\alpha = \{\alpha\kappa \mid \kappa \in K\}$. The family $C_\alpha$ has bias $\delta < 2^{-k/2}$. The corresponding encryption scheme takes a key $\kappa \in \{0,1\}^k \subseteq GF(2^{2n})$:

$\mathcal{E}(\rho_0; \kappa)$:

  Choose $\alpha \leftarrow_R GF(2^{2n}) \setminus \{0\}$

  Write $\alpha\kappa = (a, b)$, where $a, b \in \{0,1\}^n$

  Output the classical string $\alpha$ and the quantum state $X^a Z^b \rho_0 Z^b X^a$

With a quantum computer, random bits are not really necessary for choosing $\alpha$; it is sufficient to prepare $2n$ EPR pairs and discard one qubit from each pair. For the scheme to be secure, the bias $\delta$ should be at most $\epsilon/\sqrt{2^n}$, and so the key only needs to be $n + 2\log(1/\epsilon)$ bits long. The main disadvantage is that the length of the ciphertext has increased by $2n$ classical bits.

Proof. As before, the proof will use elementary Fourier analysis over the hypercube $\mathbb{Z}_2^{2n}$, and intuition comes from the proof that Cayley graphs based on $\epsilon$-biased set families are also expanders.

Think of the output of the encryption scheme as a single quantum state consisting of two systems: the first system is a classical string describing which member of the $\delta$-biased family will be used. The second system is the encrypted quantum state. To complete the proof, it is enough to bound the collision entropy of the entire system by $\frac{1}{|I| 2^n}(1 + \epsilon^2)$.

For each $i \in I$ (that is, for each member of the set family), let $\rho_i$ denote the encryption of $\rho_0$ with a random operator from the set $A_i$. The first step of the proof is to show that the collision entropy of the entire system is equal to the average collision entropy of the states $\rho_i$.

Claim 3.2. $\mathrm{Tr}(\mathcal{E}(\rho_0)^2) = \frac{1}{|I|}\,\mathbb{E}_{i \leftarrow I}\big[\mathrm{Tr}(\rho_i^2)\big]$

Proof. We can write $\mathcal{E}(\rho_0) = \frac{1}{|I|}\sum_i |i\rangle\langle i| \otimes \rho_i$. Then we have

$$\mathrm{Tr}(\mathcal{E}(\rho_0)^2) = \frac{1}{|I|^2}\sum_{i,j} \mathrm{Tr}\big((|i\rangle\langle i|\,|j\rangle\langle j|) \otimes \rho_i \rho_j\big)$$

Since $\langle i | j \rangle = \delta_{i,j}$, we get $\mathrm{Tr}(\mathcal{E}(\rho_0)^2) = \frac{1}{|I|^2}\sum_i \mathrm{Tr}(\rho_i^2)$, as desired. □
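Take any string $w = (u,v) \in \{0,1\}^{2n}$, where $u, v \in \{0,1\}^n$. Recall that $\hat{A}_i(u,v)$ is the ordinary Fourier coefficient (over $\mathbb{Z}_2^{2n}$) of the uniform distribution on $A_i$, that is

$$\hat{A}_i(u,v) = \mathbb{E}_{(a,b) \in A_i}\big[(-1)^{a \odot u + b \odot v}\big].$$

From the previous proof, we know that

$$\mathrm{Tr}(X^u Z^v \rho_i) = \hat{A}_i(v,u) \cdot \mathrm{Tr}(X^u Z^v \rho_0).$$

We can now compute the average collision entropy of the states $\rho_i$. Using linearity of expectations:

$$\mathbb{E}_i\big[\mathrm{Tr}(\rho_i^2)\big] = \mathbb{E}_i\Big[\frac{1}{2^n}\sum_{u,v} |\mathrm{Tr}(X^u Z^v \rho_i)|^2\Big] = \frac{1}{2^n} + \frac{1}{2^n}\sum_{(u,v) \neq 0^{2n}} \mathbb{E}_i\big[\hat{A}_i(v,u)^2\big]\, |\mathrm{Tr}(X^u Z^v \rho_0)|^2$$

The expression $\mathbb{E}_i[\hat{A}_i(v,u)^2]$ is exactly the quantity bounded by the (squared) bias $\delta^2$. As in the previous proof, the entropy $\mathrm{Tr}(\mathcal{E}(\rho_0)^2)$ is bounded by $\frac{1}{|I| 2^n}\big(1 + \delta^2 2^n\, \mathrm{Tr}(\rho_0^2)\big)$. By our choice of $\delta$, the entropy is at most $\frac{1}{2^n |I|}(1 + \epsilon^2)$, and so $\mathcal{E}(\rho_0)$ is within trace distance $\epsilon$ of the completely mixed state. □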



3.3 Hybrid Construction 

Let $d$ be a prime between $2^n$ and $2^{n+1}$. Then, it suffices to show how to randomize a state in a $d$-dimensional space $\mathcal{H}_d$ spanned by $|i\rangle$, $i \in \{0, 1, \ldots, d-1\}$, since a state on $n$ qubits can be embedded into $\mathcal{H}_d$. We define $X$ and $Z$ on this space by $X|j\rangle = |(j+1) \bmod d\rangle$ and $Z|j\rangle = e^{2\pi i j/d}|j\rangle$. Notice that $X^j Z^k = e^{2\pi i (jk)/d} Z^k X^j$ and $(X^j Z^k)^\dagger = Z^{-k} X^{-j}$. (The definitions of $X$ and $Z$ are different than in the previous sections, since we are operating on a space of prime dimension.)

We start with a construction that uses $n + 1$ bits of randomness and achieves approximate encryption for $\epsilon = 1$. (Notice that this is a non-trivial security guarantee. The trace distance between perfectly distinguishable states is 2. Distance 1 means that the state cannot be distinguished from $\frac{1}{d} I$ with success probability more than 3/4.) We will then extend it to any $\epsilon > 0$, using more randomness.
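
Let

$$\mathcal{E}(\rho) = \frac{1}{d}\sum_{a=0}^{d-1} X^a Z^{a^2} \rho Z^{-a^2} X^{-a}.$$

Claim 3.3. $\mathrm{Tr}(\mathcal{E}(\rho)^2) \le \frac{1}{d}\big(1 + \mathrm{Tr}(\rho^2)\big)$.

Proof. Let $\rho' = \mathcal{E}(\rho)$. Then

$$\mathrm{Tr}((\rho')^2) = \sum_{i,j} |\rho'_{ij}|^2 = \sum_i |\rho'_{ii}|^2 + \sum_{i,j:\, i \neq j} |\rho'_{ij}|^2.$$

The first sum is equal to $d \cdot \frac{1}{d^2} = \frac{1}{d}$ because $\rho'_{ii} = \frac{1}{d}\sum_{k=1}^{d} \rho_{kk} = \frac{1}{d}$. To calculate the second sum, we split it into sums $S_t = \sum_{i=1}^{d} \rho'_{i,i+t}(\rho'_{i,i+t})^*$ for $t = 1, 2, \ldots, d-1$. (In the indices for $\rho_{ij}$ and $\rho'_{ij}$, we use $i+t$ as a shortcut for $(i+t) \bmod d$.) We have

$$\rho'_{i,i+t} = \frac{1}{d}\sum_{a=0}^{d-1} w^{-a^2 t} \rho_{i-a,i-a+t},$$

where $w$ is the $d$-th root of unity.

$$\rho'_{i,i+t}(\rho'_{i,i+t})^* = \frac{1}{d^2}\sum_{a=0}^{d-1} |\rho_{i+a,i+t+a}|^2 + \frac{1}{d^2}\sum_{a,b:\, a \neq b} w^{(b^2-a^2)t} \rho_{i-a,i+t-a}(\rho_{i-b,i+t-b})^*$$

Therefore,

$$S_t = \frac{1}{d}\sum_{i=1}^{d} |\rho_{i,i+t}|^2 + \frac{1}{d^2}\sum_{i,j:\, i \neq j} c_{i,j}\, \rho_{i,i+t}(\rho_{j,j+t})^*$$

where

$$c_{i,j} = w^{(j^2-i^2)t}\sum_{a} w^{a \cdot 2(i-j)t}.$$

Since $d$ is a prime, $2(i-j)t$ is not divisible by $d$. Therefore, $\sum_a w^{a \cdot 2(i-j)t} = 0$, $c_{i,j} = 0$, $S_t = \frac{1}{d}\sum_{i=1}^{d} |\rho_{i,i+t}|^2$ and

$$\mathrm{Tr}((\rho')^2) = \frac{1}{d} + \frac{1}{d}\sum_{i \neq j} |\rho_{ij}|^2.$$

□

By Fact 2.1, $D(\mathcal{E}(\rho), \frac{1}{d} I) \le 1$.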

We now improve this construction to any $\epsilon$. Let $B$ be an $\epsilon$-biased set on $m = \lceil \log d \rceil$ bits. For $b \in \{0,1\}^m$, define a unitary transformation $U_b$ as follows. Identify numbers $0, 1, \ldots, d-1$ with strings $x \in \{0,1\}^m$. Define $U_b|x\rangle = (-1)^{b \odot x}|x\rangle$, with $b \odot x$ being the usual (bitwise) inner product of $b$ and $x$. (Note that $U_b$ is just the $Z$ operator over a different group. It is the same $Z$ operator used in the previous sections.) Let

$$\mathcal{E}'(\rho) = \frac{1}{|B|}\sum_{b \in B} U_b \rho U_b^\dagger \quad \text{and} \quad \mathcal{E}''(\rho) = \mathcal{E}(\mathcal{E}'(\rho)).$$

We claim that $\mathcal{E}''$ is an $\epsilon$-approximate encryption scheme. W.l.o.g., assume that $\rho$ is a pure state $|\psi\rangle = \sum_i c_i |i\rangle$. Then $\rho_{ij} = c_i c_j^*$. Let $\rho' = \frac{1}{|B|}\sum_{b \in B} U_b \rho U_b^\dagger$ be the result of encrypting $\rho$ by $\mathcal{E}'$. Then,

$$\rho'_{xy} = \frac{1}{|B|}\sum_{b \in B} (-1)^{b \odot x + b \odot y} \rho_{xy} = \frac{1}{|B|}\sum_{b \in B} (-1)^{b \odot (x \oplus y)} \rho_{xy}.$$

Since $B$ is $\epsilon$-biased, $|\rho'_{xy}| \le \epsilon |\rho_{xy}|$ for any $x, y$, $x \neq y$. Therefore, $\sum_{x \neq y} |\rho'_{xy}|^2 \le \epsilon^2 \sum_{x \neq y} |\rho_{xy}|^2$. Together with Claim 3.3 and Fact 2.1 this implies that $\mathcal{E}''$ is $\epsilon$-randomizing. The number of key bits used by $\mathcal{E}''$ is $n + \log |B| + O(1)$, which is $n + 2\log n + 2\log\frac{1}{\epsilon}$ if the AGHP scheme is used and $n + \log n + 3\log\frac{1}{\epsilon}$ if ABNNR is used. The first bound is the same as the one achieved by using small-bias spaces directly (Section 3.1). The second bound gives a better result (as long as $\epsilon > 1/n$).
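
The two stages of the hybrid construction can be checked numerically in a small prime dimension. The following is an added example, not code from the paper: it builds $\mathcal{E}$ from the operators $X^a Z^{a^2}$ for d = 5, confirms the purity formula from the proof of Claim 3.3, and then composes it with $\mathcal{E}'$ for a small set B on m = 3 bits. The dimension, the set B (bias 3/5), the input state and all function names are constructed for the illustration.

```python
# Added example (not from the paper): the hybrid scheme of Section 3.3 in
# prime dimension d = 5, with a hand-picked small-bias set on m = 3 bits.
import cmath

D = 5                                  # assumption: toy prime dimension
M_BITS = 3                             # m = ceil(log2 d)
W = cmath.exp(2j * cmath.pi / D)       # primitive d-th root of unity
B = [0b000, 0b001, 0b010, 0b100, 0b111]   # constructed set, bias 3/5

def dot(x, y):
    return bin(x & y).count("1") & 1

def max_bias(S):
    return max(abs(sum(1 - 2 * dot(w, s) for s in S)) / len(S)
               for w in range(1, 1 << M_BITS))

def conjugate_by(U, rho):
    """Return U rho U^dagger for D x D matrices."""
    r = range(D)
    return [[sum(U[i][k] * rho[k][l] * U[j][l].conjugate() for k in r for l in r)
             for j in r] for i in r]

def average(ops, rho):
    out = [[0j] * D for _ in range(D)]
    for U in ops:
        term = conjugate_by(U, rho)
        for i in range(D):
            for j in range(D):
                out[i][j] += term[i][j] / len(ops)
    return out

def shift_phase(a):
    """X^a Z^(a^2): |j> -> w^(a^2 j) |j + a mod d>."""
    U = [[0j] * D for _ in range(D)]
    for j in range(D):
        U[(j + a) % D][j] = W ** ((a * a * j) % D)
    return U

def sign_flip(b):
    """U_b: |x> -> (-1)^(b.x) |x>, restricted to x in {0, ..., d-1}."""
    return [[complex(1 - 2 * dot(b, x)) if x == y else 0j for y in range(D)]
            for x in range(D)]

def stage_e(rho):            # E: d operators, log d bits of key
    return average([shift_phase(a) for a in range(D)], rho)

def stage_e_prime(rho):      # E': |B| operators, log |B| bits of key
    return average([sign_flip(b) for b in B], rho)

def purity(rho):             # Tr(rho^2) for Hermitian rho
    return sum(abs(x) ** 2 for row in rho for x in row)

def offdiag(rho):            # sum over i != j of |rho_ij|^2
    return sum(abs(rho[i][j]) ** 2 for i in range(D) for j in range(D) if i != j)

PSI = [1, 1j, -1, 2, 1 - 1j]                        # constructed amplitudes
NORM = sum(abs(c) ** 2 for c in PSI)
RHO = [[x * complex(y).conjugate() / NORM for y in PSI] for x in PSI]

if __name__ == "__main__":
    eps = max_bias(B)
    print("E alone  :", purity(stage_e(RHO)), "=", (1 + offdiag(RHO)) / D)
    print("E'' = E.E':", purity(stage_e(stage_e_prime(RHO))),
          "<=", (1 + eps ** 2) / D)
```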